On Wed, 2016-01-06 at 13:21 +0000, David Howells wrote:
> Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
>
> > The x509_validate_trust() was originally added for IMA to ensure, on a
> > secure boot system, a certificate chain of trust rooted in hardware.
> > The IMA MOK keyring extends this certificate chain of trust to the
> > running system.
>
> The problem is that because 'trusted' is a boolean, a key in the IMA MOK
> keyring will permit addition to the system keyring.

Advertising

Once the builtin keys are loaded onto the system keyring, isn't the
system keyring locked? Or is this the only mechanism used for locking?
Mimi
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html